Personyze LC Bug Bounty Program

Personyze LC runs a bug bounty program to ensure the highest security and privacy of its websites. Everyone is eligible to participate in the program, subject to the conditions and requirements of Personyze LC set out below.

Open Bug Bounty performs triage and verification of the submissions. However, we never intervene in the further process of vulnerability remediation and disclosure between Personyze LC and the researchers.

This bug bounty program allows private submissions only.

Bug Bounty Scope

The following websites are within the scope of the program:

*.personyze.com

Non-Intrusive Submissions Handling

The following section covers the submission of vulnerabilities that do not require intrusive testing, as per Open Bug Bounty rules:

- Cross Site Scripting (XSS)
- Open Redirect
- Cross Site Request Forgery (CSRF)
- Improper Access Control

General Requirements:

PLEASE READ CAREFULLY:
Only vulnerabilities in https://counter.personyze.com/stat-track-lib.js qualify for the program.

Depending on their impact, not all reported issues may qualify for a monetary reward. Please refrain from:

- Denial of Service (DoS) or performing other actions that may negatively affect Personyze users (spam)
- Accessing private information (use test accounts instead)
- Sending reports from automated tools without verifying them

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

- WordPress issues, and sites built on WordPress
- Rendering HTML content without security impact. Rendering HTML content must demonstrate JavaScript execution or some other malicious action.
- Triggering emails to be sent to another user's account
- Pages and content cached after logout
- Password complexity requirements
- User or account ID enumeration
- Issues related to software or protocols not under Personyze control
- Vulnerabilities in third-party applications or services which use or integrate with Personyze
- wiki.personyze.com
- blog.Personyze.com / www.Personyze.com/blog (WordPress)
- cdn.personyze.com (an internal-only site)
- counter.personyze.com
- Vulnerabilities in third-party applications that are integrated with the Personyze product via developer platform components, such as OAuth and Canvas
- Dangling DNS records: issues related to stale CNAME records or any other DNS record
- Vulnerabilities affecting users of outdated browsers or platforms
- Social engineering of Personyze staff or contractors, or physical attempts against property
- Reports relating to email spoofing (inadequate SPF, DKIM and DMARC configurations)
- Reports relating to HSTS (we can't enable it yet, but plan to)
- Reports related to shared computer accounts
- The support system accessed via the 'Provide Feedback' link

Generally, non-qualifying web-related bug reports have little or no practical significance to product security. Google Bughunter University has a great write-up of bugs that fall into this category: https://sites.google.com/site/bughunteruniversity/nonvuln

Testing Requirements:

PLEASE READ CAREFULLY:
Personyze customers embed a small JavaScript snippet into their web pages. This JavaScript is served from a CDN and contains the logic for the personalization. It is the most sensitive part of our product, and we are particularly interested in vulnerabilities related to this snippet.

Vulnerability types that qualify for the program, in https://counter.personyze.com/stat-track-lib.js only:

- Cross-Site Scripting
- SQL Injection
- Remote Code Execution
- Cross-Site Request Forgery
- Directory Traversal

Possible Awards:

Technical severity under https://counter.personyze.com/stat-track-lib.js:

- Critical: $100
- Severe: $50

Issues under www.personyze.com are not included.

Community Rating

Provided by security researchers who reported security vulnerabilities via this bug bounty program:

- Response Time: how quickly researchers get responses to their submissions.
- Remediation Time: how quickly reported submissions are fixed.
- Cooperation and Respect: how fairly and respectfully researchers are being treated.

Researcher's comments

pwn_box, 30 July, 2020:
Hello team, can you please share your email so that I can report the bug apart from these.

